  All-In-One Edition
Chapter 20 – Forensics

    Brian E. Brzezicki
Forensics – What is it?
Main concerns
  – Investigating and analyzing computer systems
    used in violation of laws
  – Investigating computer systems for
    compliance with company policies
  – Investigating computer systems that have
    been attacked (part of incident response)
        Forensics and Laws
• Forensics deals with legal concerns more
  than most other IT related duties.
• Evidence must be collected if you want to
  take legal action.
• Computers and networks are a troublesome source
  of evidence, as it is hard to “sense” and hard
  to prove. In fact it is generally considered
  “hearsay” evidence
           Random Thought
Unlike many other areas of security, which can
 mix and match, forensics should always be
 done by a dedicated forensics person.
 Forensics is a structured PROCESS for data
 and evidence collection and should always be
 done by someone who specifically focuses on
 these processes and procedures
      Standards for Evidence
For evidence to be considered credible it
 generally must be
  – Sufficient – convincing on its own
  – Competent – legally allowed and “reliable”
  – Relevant – must be material to the case and
    have bearing on the matter in question

            Types of Evidence
Some evidence is “stronger” than others. There are a
  few types of evidence
• Direct Evidence - supports the truth of an assertion
  – example a witness who testifies they were
  present with and saw when a hacker broke into
• Circumstantial Evidence – indirectly proves a fact,
  may back up another fact that is used to prove an
• Real Evidence – tangible evidence that proves or
  disproves a fact (e.g. fingerprints)
        Types of Evidence
– Documentary Evidence – printouts, manuals,
  records etc. Most computer evidence
  is of this type
– Demonstrative Evidence – a model or display
  used to aid the jury in understanding that an
  event occurred.
           3 rules of evidence
1. Best Evidence rule – courts prefer the original
   evidence, rather than copies.
2. Exclusionary rule – evidence illegally seized
   cannot be used. If evidence is collected in
   violation of the Electronic Communications
   Privacy Act, it will be excluded… that means a
   company MUST have a policy, and employees must
   understand that they are being monitored, if a
   company wants to use computer evidence against
3. Hearsay – hearsay is second-hand evidence, not
   gathered from the personal knowledge of a
   witness. Computer-generated evidence is hearsay
        Evidence Collection
• Evidence should be collected in a way that
  is reliable and doesn’t compromise the
  evidence itself!
• Sometimes when you notice a break-in
  you have to weigh the costs of “stopping”
  the activity (turning off the server) against
  keeping it running. Why? Anybody?

         Evidence Collection
Steps in collecting evidence on a machine
1. Dump system memory
2. Power down system
3. Do a bit-level image of the machine, using
   a stand-alone machine (not the machine in
4. Analyze the image

           Evidence Collection
• When imaging a hard drive you should make at least 3
• The original drive AND one copy of the original should be
  stored away
• The 2nd copy should be used for file authentication
• The 3rd should be the drive you analyze
• You should never use the tools on the computer in
  question, you should use a clean “forensics station” to
  analyze the hard drives. (why?)
• You should always record the checksums of all the files
  on the computer before analysis (do example). See
  related next slide (tripwire)
Tripwire screen shot
         Evidence Collection
• Evidence should be marked when
  – Investigator, case number, date, time,
    location, description
• A log book of evidence should be
• There should be a witness to verify
  evidence collection
         Evidence Protection
• You must protect the evidence physically
  from damage and tampering
  – Protect from heat/cold
  – Vibration
  – Magnetic fields
  – If a device can receive electronic signals,
    shield the device
      Transporting evidence
• Log all times someone removes evidence
• Be careful when transporting
          Storing Evidence
• Store evidence in a locked away and
  monitored/guarded area.
             Chain of Custody
Once collected you must protect evidence from
  tampering. Chain of Custody shows who obtained the
  evidence, where it was stored, and who had access
  to it.
• Record each item
• Record who collected it and where, when
• Description of evidence
• Tagged and sealed
• Obtain signature from anyone accepting evidence
• Provide signatures and seals whenever evidence is
• Provide controls against tampering while in storage
       Conducting the investigation
•   Have a formal procedure beforehand!
•   Have a professional do the analysis
•   Take pictures beforehand
•   Use a forensics station or a live CD for analysis
    (what is a live CD?)
•   Image the hard drives multiple times with a bit level
    method, work only on a copy
•   Label hard drive and store in anti-static bag
•   Before doing any analysis, do a checksum on all
    files and store that info. (why?)
•   Keep a log of what you did and why, be able to
    explain and justify any actions taken.
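As an added example (not from the chapter), the “checksum all files before analysis” step from the two lists above, carried out over a directory tree in Python: a SHA-256 manifest is recorded before any analysis and later re-checked, reporting modified, missing and added files, which is the same job Tripwire does. The sample files and the tampering in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algo="sha256", chunk=1 << 20):
    # Hash in chunks so a large evidence file never has to fit in memory
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    # Relative POSIX path -> digest for every regular file under root
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_manifest(manifest, out_path):
    # "digest  path" lines, the same layout that sha256sum -c understands
    with open(out_path, "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")

def read_manifest(path):
    with open(path) as f:
        pairs = (line.rstrip("\n").split("  ", 1) for line in f)
        return {rel: digest for digest, rel in pairs}
def verify(root, baseline):
    # Re-hash the tree and report every deviation from the recorded baseline
    current = build_manifest(root)
    return {
        "modified": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "missing": sorted(r for r in baseline if r not in current),
        "added": sorted(r for r in current if r not in baseline),
    }

def demo():
    # Constructed sample tree: record a baseline, then tamper with it and re-check
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "logs").mkdir(parents=True)
        (evidence / "hello.txt").write_bytes(b"hello world")
        (evidence / "logs" / "auth.log").write_bytes(b"login ok\n")
        baseline = build_manifest(evidence)
        manifest_file = Path(tmp) / "baseline.sha256"
        write_manifest(baseline, manifest_file)
        (evidence / "hello.txt").write_bytes(b"hello world!")  # edited
        (evidence / "logs" / "auth.log").unlink()               # deleted
        (evidence / "notes.txt").write_bytes(b"added later")   # added
        return baseline, verify(evidence, read_manifest(manifest_file))
```

Store the manifest file with the evidence log, not on the analysed copy, so it is itself protected by the chain of custody.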
             File Deletion Terms
When a user deletes a file, it is not actually removed
  (unless a highly secure OS is used). Some important
  terms relating to this are:
• Free space – the space a file takes up that is still
  available after deletion (before something else uses
• Slack space – When file space is allocated, it is done
  in fixed-size blocks. A file will not actually use all this
  space. The unused area of a file, even when in use, is
  called the slack space. Information may be hidden in
  this space. (see visualization)
               Slack Space

Hackers can hide data in the slack space to avoid
  Chapter 20 – Review Questions
Q. What is the concept of best evidence?

Q. When you want to do forensics on a
 computer, you should make a copy of the
 hard drive. What type of copy should you

Q. What is the MINIMUM number of copies you
 should make of the original hard drive?
  Chapter 20 – Review Questions
Q. Put these steps of analysis in the correct order
   A.   Analyze the Drive
   B.   Power down the system
   C.   Dump Memory
   D.   Image the hard drive

Q. Why do you run checksums/hashes on the original files
    before analysis?

Q. Why should someone witness you as you collect the

Q. What is the difference between “free space” and “slack
